Question about CSP: Wildcard Directive
4,212 views
Skip to first unread message
TeeWeTee
Feb 12, 2021, 12:51:43 PM2/12/21
to OWASP ZAP User Group
In a previous run ZAP flagged our login page as "CSP: Wildcard Directive" because we used "frame-ancestors *;". This I can understand. So we changed that to "frame-ancestors 'self';" (which is a considerable restriction imho) however ZAP still complains about the 'CSP Wildcard Directive'.
In its description it states:
In its description it states:
"The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined"
Evidence:
frame-ancestors 'self';
But 'self' is not overly broad isn't it?
Or does it refer to other (maybe) missing sources? So do I really need to define all or can I use just use default-src?
script-src, script-src-elem, script-src-attr, style-src, style-src-elem,
style-src-attr, img-src, connect-src, frame-src, font-src, media-src,
object-src, manifest-src, worker-src, prefetch-src, form-action
kingthorin+owaspzap
Feb 12, 2021, 7:42:36 PM2/12/21
to OWASP ZAP User Group
If you're complete CSP is "fame-ancestors 'self'" then the full description is:
"The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined:
script-src, script-src-elem, script-src-attr, style-src, style-src-elem, style-src-attr, img-src, connect-src, frame-src, frame-ancestors, font-src, media-src, object-src, manifest-src, worker-src, prefetch-src, form-action
The directive(s): frame-ancestors, form-action are among the directives that do not fallback to default-src, missing/excluding them is the same as allowing anything."
script-src, script-src-elem, script-src-attr, style-src, style-src-elem, style-src-attr, img-src, connect-src, frame-src, frame-ancestors, font-src, media-src, object-src, manifest-src, worker-src, prefetch-src, form-action
The directive(s): frame-ancestors, form-action are among the directives that do not fallback to default-src, missing/excluding them is the same as allowing anything."
So yes the problem is that you have left a bunch of things undefined, which means that anything goes.
Can you just use default-src? Kinda, as long as you also address the directives that don't fallback.
kingthorin+owaspzap
Feb 12, 2021, 7:52:22 PM2/12/21
to OWASP ZAP User Group
Oops I pasted the wrong lines from my UnitTest output. It should have been:
"The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined:
script-src, script-src-elem, script-src-attr, style-src, style-src-elem, style-src-attr, img-src, connect-src, frame-src, font-src, media-src, object-src, manifest-src, worker-src, prefetch-src, form-action
The directive(s): form-action are among the directives that do not fallback to default-src, missing/excluding them is the same as allowing anything."
script-src, script-src-elem, script-src-attr, style-src, style-src-elem, style-src-attr, img-src, connect-src, frame-src, font-src, media-src, object-src, manifest-src, worker-src, prefetch-src, form-action
The directive(s): form-action are among the directives that do not fallback to default-src, missing/excluding them is the same as allowing anything."
Reply all
Reply to author
Forward
0 new messages